# Allocation of Resources Without Limits or Throttling (CWE-770) The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated. **Stack:** Python - Prevalence: Wysoka Często wykorzystywana - Impact: Średni Zalecany przegląd - Prevention: Udokumentowane 3 przykładów poprawek **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description Without limits on resource allocation, an attacker can consume all available resources, causing denial of service for legitimate users. ## Prevention Strategie zapobiegania dla Allocation Without Limits oparte na 1 regułach detekcji Shoulder. ### Python Add rate limiting to authentication and expensive API endpoints ## Warning Signs - [MEDIUM] API endpoint lacks rate limiting protection - [MEDIUM] API endpoints without rate limiting ## Consequences - DoS: zużycie zasobów - DoS: awaria / wyjście / restart ## Mitigations - Wdroż ograniczenia liczby żądań dla wszystkich alokacji zasobów - Ustaw maksymalne limity dla puli zasobów - Monitoruj zużycie zasobów i wdrażaj alerty ## Detection - Total rules: 3 - Languages: javascript, typescript, python ## Rules by Language ### Python (1 rules) - **Missing API Rate Limiting** [MEDIUM]: Detects API endpoints without rate limiting. Unprotected endpoints are vulnerable to brute force attacks, credential stuffing, and denial of service. Always implement rate limiting on authentication, expensive operations, and public APIs. - Remediation: Add rate limiting decorator to authentication and expensive endpoints. ```python from flask_limiter import Limiter from flask_limiter.util import get_remote_address limiter = Limiter(app=app, key_func=get_remote_address) @app.route('/api/login', methods=['POST']) @limiter.limit("5 per minute") def login(): user = authenticate(request.json) return jsonify({'token': generate_token(user)}) ``` Learn more: https://shoulder.dev/learn/python/cwe-770/missing-rate-limiting